BSIMM12 reports increased attention on software security due to recent supply chain disruptions. Get recommendations for managing supply chain risks.
As the global pandemic disrupted the way business is conducted, the workforce became more dispersed and moved far from the traditional secure enterprise environments. During this time of upheaval, hackers have seized the opportunity provided by a much larger and vulnerability-prone attack surface to launch a record number of software supply chain and ransomware attacks.
The most recent attacks (SolarWinds and Kaseya for supply chain, and Colonial Pipeline, NBA, and Kia Motors for ransomware) have been highly disruptive. The European Union Agency for Cybersecurity (ENISA) estimated that supply chain attacks would multiply by 4 in 2021 compared to 2020. ENISA’s research uncovered that 66% of attacks focus on the target’s code.
There’s no doubt that software supply chain security is a global issue. In May, President Biden signed an executive order that mandates improved cybersecurity, and it is expected to have broad implications—and it could be adopted by the commercial sector. One of the directives specified by the EO is “Maturation of a Software Bill of Materials (SBOM) and participation in vulnerability disclosure programs.”
The BSIMM12 report highlights how companies are responding and illustrates the software security activities adopted by companies in the BSIMM community over the last year. These activities can be grouped into three categories.
This blog post focuses on securing the software supply chain and provides best practices for strengthening the security of your own software supply chain.
Software Bill of Materials activities increased by 367% over the last two years according to BSIMM12. The data shows an increase in capabilities focused on inventorying software, including creating a software Bill of Materials (SBOM); understanding how the software was built, configured, and deployed; and increasing an organization’s ability to redeploy based on security telemetry. It’s clear that many organizations have taken to heart the need for a comprehensive and up-to-date SBOM. In addition to the SBOM activity, there are over a dozen supply chain security activities that also show an increase.
While an SBOM is at the heart of securing your software chain, there is much more to it than a simple inventory. The U.S. National Institute of Standards and Technology (NIST) has developed a Cyber Supply Chain Risk Management (C-SCRM) and Secure Software Development Framework that provides recommendations on how to manage supply chain risk. They include that organizations acquiring software should implement a comprehensive risk management program that includes a formal C-SCRM program. The program should be integrated across the organization, identify and manage critical software components and suppliers, include a plan for the entire life cycle, and more. As a part of the risk management plan, NIST also recommends the following steps:
As the saying goes, prevention is better than cure. To that end, NIST also provides recommendations for how best to prevent supply chain attacks.
Since supply chain attacks can involve disparate software from multiple third-party sources that you might not be familiar with, malicious code within the software can easily go undetected.
Mandates are being introduced globally to enforce software supply chain security, but they are still in the very early stages of being defined. There are a lot of unknowns that will be determined in the coming months and years. The only thing we can be sure of is that change is coming, and we as part of the software security community need to be prepared to adapt our roadmaps and security initiatives accordingly. Nevertheless, there are actions that you can take right now to combat supply chain attacks.
Implementing a comprehensive C-SCRM program as outlined by NIST requires four essential components.
Analyzing binaries, executables, and libraries for open source components—especially beyond trusting manifests—is equally important. It must include
Supply chain security is really the ultimate test for your SDLC. You simply cannot build security into your supply chain with a weak SDLC. Without a secure SDLC, the information in your SBOM and data such as vulnerabilities, bugs, and flaws in your code and software system design will be revealed to your customers. The executive order and other supply chain security mandates can be the spark that ignites DevSecOps activities and propels you to embrace a security culture that permeates your SDLC and entire supply chain.
Finding the right people with the required expertise and experience in implementing the right solution, and setting, managing, and enforcing the appropriate risk management policies can be a daunting task, especially with the security resources shortage we are currently facing. Synopsys offers Black Duck®, a market-leading SCA solution, as well as hundreds of security services consultants with decades of experience in supply chain security.
Chai is an engineer turned product marketer passionate about delivering value to customers. He has worked in the AppSec, cyber security, and data management industries for over 15 years.